Home Security B0r0nt0k Ransomware – What is it & How To Remove It?

B0r0nt0k Ransomware – What is it & How To Remove It?

51
0

What is B0r0nt0k Ransomware? will be explained in depth in this article. Possibly the ransomware known as “Borontok.” How to uninstall B0r0nt0k Ransomware from a WordPress site. Before we go into the intricacies, it’s important to understand what ransomware is.

What is a Ransomware?

Malware, sometimes known as ransomware, is a type of harmful software. It’s more complicated than ordinary malware, which encrypts the machine and only decrypts it after the payment is paid.

What is the Purpose of Ransomware?

Ransomware attacks are mostly motivated by financial gain. When it comes to ransomware, things are a little different because you are informed that an exploit has been used and instructions are provided on how to recover from the attack. In such cases, a virtual money like bitcoin is usually sought to conceal the cyber criminal’s identity.

How is Ransomware Distributed?

Infected software apps, email attachments, hijacked websites, and external storage devices are all avenues for ransomware to propagate. A large number of assaults have recently been carried out using a remote desktop protocol that does not involve any user participation.

Types of Ransomware

There are two varieties of ransomware that are currently in use:

  • Ransomware that uses powerful encryption methods to encrypt data. Its purpose is to encrypt system data and demand payment in order to supply the victim with the key to decrypt the information. CryptoLocker, Locky, CrytpoWall, and other programmes are examples.
  • Locker ransomware prevents the victim from accessing the desktop, apps, or data by locking them out of the operating system. Despite the fact that the files are not encrypted in this scenario, the attackers demand a ransom to unlock the infected PC. Ransomware with a police motif, such as Winlocker, is one example.

Some locker versions have the ability to infect the Master Boot Record as well (MBR). The MBR is the part of a computer’s hard drive that allows the operating system to start.

Technically, ransomware has been around since the 1990s, but it has really taken off in the last five years. The availability of untraceable payment mechanisms such as Bitcoin is the primary reason for its widespread acceptance. Here are a few of the most important:

CryptoLocker

This is a sort of Trojan ransomware that was first released in 2013 and has infected over 500,000 machines. It spreads via a botnet or through hacked email attachments. When this ransomware is downloaded and launched, it begins looking for specific file types to encrypt.

This encryption is done using RSA public key cryptography, and the private key is subsequently sent to some distant servers. It also requests that the system’s owner pay a ransom to decode or recover the files that have been encrypted. If the owner fails to do so, the private key is lost.

B0r0nt0k

This ransomware is a malware that encrypts files. This virus encrypts files on the linux server and appends the.rontok extension to them. This is a dangerous cyber attack that not only impacts your data but also causes alterations to –

  • Startup options have been changed.
  • Registry entries have been added.
  • Added programmes or files
  • Functions or programmes that have been disabled

TeslaCrypt

This is a ransomware variant that mostly targets gaming files. This one encrypts the files on the computer and demands a ransom to get the decryption key. Normal access to the impacted files can be gained with the help of the decryption key.

SimpleLocker

This ransomware assault, which became prevalent in late 2015 and early 2016, mostly targeted mobile phones. This malware also encrypts the data, rendering them inaccessible unless the fraudster is there.

WannaCry

WannaCry is another type of ransomware that goes by the names WannaCrypt, WannaCryptor, and Wanna Decryptor. This ransomware will encrypt your device (computer, tablet, or smartphone), infect your files, and display a message demanding a payment.

You will be requested to pay a ransom via Bitcoin as a victim. The files will only be delivered once the scammer has received payment; however, if the amount is not paid, the data will be destroyed. On the downside, paying the ransom does not guarantee that the encrypted data will be recovered.

NotPetya

NotPetya affected thousands of systems in over 100 countries in a matter of days in 2017, just weeks after WannaCry. This ransomware uses the same WannaCry exploit as WannaCry. This ransomware differs from other ransomware in that its primary goal is to cause disruption.

Locky

IT professionals identified this ransomware, which was released in 2016. Scammers used to send infected emails requesting payment via an invoice that was attached to a malicious Microsoft Word document with infected macros.

When the user views the document, a pop-up message appears that says, “Enable macro if data is inaccurate,” which is a classic approach of deceiving the user while also affecting the system.

These were just a few examples of typical ransomware. Let us concentrate our attention on the most recent ransomware, B0r0nt0k. What this new ransomware is and how to get rid of it.

What is B0r0nt0k ransomware?

The B0r0nt0k Ransomware is a file encryptor threat that first surfaced on February 25th, 2019, when site owners discovered files with unusual names and the ‘.rontok’ extension.

Borontok is a ransomware that has just appeared in the threat landscape. The virus’s primary target is Linux-based websites and servers, although it also poses a threat to Windows-based systems. The attackers are demanding 20 bitcoins (approximately $75,000) as a ransom for the data recovery. The files that are affected have the rontok extension. Furthermore, it was encoded using the base64 technique.

The attackers injected a small program that encrypted generic data containers along with some site configuration files. Affected server administrators may find that the data with the following extensions is no longer available:

.PNG, .PSD, .PSPIMAGE, .TGA, .THM, .TIF, .TIFF, .YUV, .AI, .EPS, .PS, .SVG, .INDD, .PCT, .PDF, .XLR, .XLS, .XLSX, .ACCDB, .DB, .DBF, .MDB, .PDB, .SQL, .APK, .APP, .BAT, .CGI, .COM, .EXE, .GADGET, .JAR, .PIF, .WSF, .DEM, .GAM, .NES, .ROM, .SAV, .DWG, .DXF, .GPX, .KML, .KMZ, .ASP, .ASPX, .CER, .CFM, .CSR, .CSS, .HTM, .HTML, .JS, .JSP, .PHP, .RSS, .XHTML, .DOC, .DOCX, .LOG, .MSG, .ODT, .PAGES, .RTF, .TEX, .TXT, .WPD, .WPS, .CSV, .DAT, .GED, .KEY, .KEYCHAIN, .PPS, .PPT, .PPTX, .INI, .PRF, .HQX, .MIM, .UUE, .7Z, .CBR, .DEB, .GZ, .PKG, .RAR, .RPM, .SITX, .TAR.GZ, .ZIP, .ZIPX, .BIN, .CUE, .DMG, .ISO, .MDF, .TOAST, .VCD, .SDF, .TAR, .TAX2014, .TAX2015, .VCF, .XML, .AIF, .IFF, .M3U, .M4A, .MID, .MP3, .MPA, .WAV, .WMA, .3G2, .3GP, .ASF, .AVI, .FLV, .M4V, .MOV, .MP4, .MPG, .RM, .SRT, .SWF, .VOB, .WMV, .3D, .3DM, .3DS, .MAX, .OBJ, .BMP, .DDS, .GIF, .JPG, .CRX, .PLUGIN, .FNT, .FON, .OTF, .TTF, .CAB, .CPL, .CUR, .DESKTHE, EPACK, .DLL, .DMP, .DRV, .ICNS, .ICO, .LNK, .SYS, .CFG.

A ransom note is displayed on the web browser screen. It also contains the UUID of the user that is required in the later stages bortontok.uk is visited. The ransomware actors appear to request payments that go up to 20 Bitcoin (≈$75,000/€66,900) and may use the ‘info@borontok.uk’ email account to reach out to the victims.

When a user enters their ID on the page, the scammers demand 20BTC and give them three days to complete the payment or their data would be forever deleted. This payment should be made via the website’s provided form. Even if the user pays, there is no guarantee that the data will be decrypted.

Hidden Damage

2-Spyware.com advises that a cryptovirus like B0r0nt0k can disable security tools or other features in order to keep functioning without interruption. If the B0r0nt0k ransomware is not removed, it might cause more serious damage to the machine.

While it’s unclear how the B0r0nt0K ransomware got a footing on the Linux servers in question, it’s usually due to server misconfigurations or the use of out-of-date software with known remote code execution vulnerabilities.

Take Backups

B0r0nt0K and other ransomware attacks target on enterprises that aren’t prepared. If you don’t have a recent backup and have been infected with the B0r0nt0k ransomware, you could be in serious trouble.

However, recovering backups after a ransomware attack is still a time-consuming procedure, so you should take precautions to avoid infection in the first place. Applying the most recent security patches to your applications and servers is the single most essential step you can take to strengthen your defences, yet it is not sufficient. Intrusion prevention services to block application exploits, as well as advanced malware-detection solutions that use machine learning and behavioural detection to identify evasive payloads, are all needed to combat ransomware.

What Else Can I Do?

Close the SSH (secure shell) and FTP (file transfer protocol) ports to prevent B0r0nt0K from gaining access to your Linux server.

  • Restore the site from backups or source control;
  • All admin passwords should be changed;
  • Examine the software stack for known vulnerabilities that could have let the attacker in, and apply patches as needed.
  • Examine the configuration of the site for any flaws;
  • Disable any services that aren’t absolutely necessary, and close any open ports;
  • Make sure the backups are working; and
  • Perform a penetration test on the network’s Internet-facing footprint.

Is Your WordPress Website Infected – B0r0nt0k Ransomware Removal

Here is a method to help you discover and eradicate borontok ransomware as a website owner.

Scan Your Website

Various programmes can remotely check your website for dangerous payloads and malware locations. WP Hacked includes a free WordPress plugin that may be found in the WordPress repository.

To look for WordPress exploits —

  • Visit the WP Hacked Help website for more information.
  • Scan the webpage by using the scan button.
  • Make sure you read the notification if the website is contaminated.
  • If there are any payloads or locations available, make a note of them.
  • It is critical to keep track of any blacklist warnings.

Analyze the Files Names

You may check for ransomware on your linux server/website by checking the file renames thoroughly. It’s unusual to have numerous renames on your machine. If there are, it’s a sure sign that ransomware has infected your machine. You may also look up some prominent websites to have a better understanding of all the files that the malware uses.

Consider Looking at your Extension Files

Examining your extension files is one of the simplest ways to analyse your website for malware. Almost every ransomware has a unique file extension. This makes determining which ransomware has infected your machine a lot easier.

Checking Core File Integrity

The majority of WordPress’s core files should not be changed. It’s critical that you verify the wp-admin, root directories, and wp-includes folders for any issues with integrity. To check the integrity of your WordPress core files, run the diff tool in the terminal.

Check Recently Modified Files

There’s always the risk that the hack includes new or recently updated files. If you wish to manually check the recently updated files —

  • You may easily log onto your server using an FTP client or an SSH terminal.
  • If you’re using SSH, you can easily list all modified files in the last 15 days with the following command —
$ find ./ -type f -mtime -15
  •      In case you are using SFTP, you can have a closer look at the last modified date for the files on your server.
  •      Closely check all the files that have recently modified.

On Linux, you can check the recently modified files with the help of terminal commands –

  •      Type in your terminal –
$ find /etc -type f -printf '%TY-%Tm-%Td %TT %p\n' | sort -r .
  •      If you want to have a look at the directory files, type in your terminal –
$ find /etc -printf '%TY-%Tm-%Td %TT %p\n' | sort -r .
  •      If you are using SFTP, you can have a closer look at the last modified date column for all files on the server.
  •      If you find unfamiliar changes in the last 7-30 days, they may be suspicious.

Take Backup of your Website

There are a variety of WordPress backup plugins available, and selecting the best one is a difficult challenge. But, if you’re searching for a simple and secure way to back up your WordPress blogs and websites, BackupBuddy is the way to go. The following are the main features of this plugin:

Hourly Database Backups –

For backup schedules, this plugin provides nine different interval settings. This feature is particularly useful during a high-traffic event on your website, such as a sale.

It’s under Schedules > Add New Schedule section > Backup Intervals is a dropdown menu.

Files Only Backup

As a user, you have the option of creating a new backup profile that solely backs up the files on the website. There are times when your database isn’t as critical as it once was, or when only a few files from a backup are necessary. For example, if you have a lot of huge photos and video files (self-hosted), you’ll probably want to separate your backups to make them run faster.

Located in Backup > + > Backup Profile Type dropdown

Backup Notes

It’s simple to add a short comment to the backup files using this capability. This can be used to make notes about when the backup was created or to remind yourself to transfer the backup elsewhere at a later time.

Located in Backup > Local Backups section. Hover over the backup file name to see the “Note” link

Database Repair

You don’t need a separate optimization plugin if you’re using Backup Buddy. This plugin has the capability of checking and repairing databases. All you have to do is go to the Server Tools menu item and select the Database tab. All you have to do is hover over an item to see the check and repair action links.
It’s under the Server Tools > Database tab.

Let us now turn our attention to backing up your WordPress website without the need of a plugin. This section is separated into two categories: automatic and manual.

Automatic WordPress Backups

This form of backup happens on its own. At the server level, backups are also possible. Automatic backups are available on many WordPress-friendly servers. Additionally, if you choose to use a premium hosting provider, you can expect certain extra benefits.

Manual WordPress Backups

While server-level automatic backups are a considerably more handy and current way, you prefer that other copies of your website be saved in separate locations. Here are several options for performing a manual backup of your files and databases. –

Through Your Host

You can back up your entire website with the help of cPanel. Your cPanel may have a varied appearance depending on your host. If you are using Bluehost, you have the option of making a backup of –

  • Website files
  •    Full cPanel Backup
  •    Home Directory
  •    MySQL Databases

If you have created email addresses on the server, you can instantly restore your emails. It’s a piece of cake to download a backup. Then comes the download of a zip or tar file.

You can also save these files to the iCloud, a thumb drive, an external hard drive, or your computer to keep them secure.

Through phpMyAdmin

Using phpMyAdmin to back up your database entails making a copy of your database tables. They should also be exported to your local computer or wherever else you want to save them. Here are the backup procedures to follow:

  • Logging into your web hosting account’s cPanel is the first step. Go to phpMyAdmin and select the databases.
  • You must now enter your username and password to access phpMyAdmin.
  • You can either go to the databases tab on the top navigation tabs or go to the databases tab on the left side. This will give you access to all of your databases.
  • You must select the databases you want to copy here. When you’re finished, go to the export tab.
  • Make sure you only click the Add Drop Table box before pressing the export button.
  • Finally, press the ‘save as file’ button before pressing the ‘go’ button. Save a copy of your MySQL database to your computer at this point. If your database is large, you can also save it as a compressed or zipped file.

PREVENTIVE MEASURES

Employ Sacrificial Network

The ransomware’s principal strategy is to infect as many systems as possible. When a computer is infected with ransomware, the next stage is for the infection to propagate over the entire local network. As a result, having a sacrificial network can be extremely beneficial.

For you, this network of computers will function as an early warning system. Low-rpm hard discs with little random files are used in these machines. The ransomware will take longer to encrypt your data and files this way. You’ll have enough time to audit all of your activities and, most importantly, back up your data.

Employ Next-Generation Firewalls

Next-generation firewalls can be used to scan for ransomware. If your network has any suspicious behaviour, this firewall will detect it and stop it. Make sure your firewall is up to date.

Have a Security Suite

Using the strength of a security suite that includes a firewall, anti-malware, and anti-virus, you can detect ransomware on your computer. You can rely on the software if it is legitimate. This is due to the fact that a team of professionals is on call 24 hours a day, 7 days a week to ensure the finest protection for its customers.

If you are a home user, it may be costly, but it is ultimately worth the investment.

Why Should You Hire a Professional?

If your website has been infected with the B0r0nt0k ransomware, you should seek professional help. This is, without a doubt, a grave situation, and it is all too easy to make things worse. One fantastic solution is to use WP Hacked’s expert services.

With years of knowledge, you can be confident that your company is always safe. We maintain a careful eye on any potential ransomware threat in the future. In addition, we provide solutions to the most common WordPress attacks and vulnerabilities.